I'm running Hydra against a vulnerable VM running on my own server. I'm trying to find the password for the "admin" username.

This is the command I ran:

hydra -vV -l admin -P /root/Documents/000webhost.txt 10.0.2.10 http-post-form '/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'

After some time running, I got this message:

[80][http-post-form] host: 10.0.2.10   login: admin
[STATUS] attack finished for 10.0.2.10 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-12-27 18:12:43

It says it found the password, but it does not show that password.

Usually the password is shown in the line that also says "login: admin".

Any idea of what's going on? Thanks.

EDIT

I seem to have found the issue. There is an empty line/password (i.e. "") in the file. This empty password is shown to be attempted 19 lines before the "result" output:

[ATTEMPT] target 10.0.2.10 - login "admin" - pass "" - 15067 of 720303 [child 10] (0/0)

I inputted the "" as the password directly in the target web app and the response it gives is different from "is incorrect", thus causing the false positive. What is strange is that Hydra does not output it.

I created a smaller passwords file with an empty line, and the issue was repeated. I then removed the empty line from the file and ran Hydra again, this time without getting the false positive.

Thanks again.

MyName
  • OOh, sounds like you've found some SQLi! – thel3l Dec 28 '17 at 02:50
  • Also the "" probably indicates a Null - Hydra probably sent a blank password in the request - check for SQLi though, sounds promising. – thel3l Dec 28 '17 at 02:51
  • I think the app handles it correctly. It just happens that they show "The password is empty" instead of "is incorrect". But I did run sqlmap on it and it didn't find an injection point (although I may be messing up the sqlmap syntax). – MyName Dec 28 '17 at 10:58
  • Interesting. That probably explains it. It looks like you've found the solution, so might want to post and mark your own answer? – thel3l Dec 28 '17 at 11:15
  • @thel3l - do you know if Hydra can take multiple failure messages and apply them with an OR operator? Thanks. – MyName Dec 28 '17 at 11:16

1 Answer

The passwords file that I've sent to Hydra contains an empty line (i.e. ""). When this value is sent to the web app, the response is "The password is empty", which is different from the "is incorrect" that it returns for most other passwords and that I sent to Hydra.

A similar thing happens when the password is "0", although, in this case, Hydra does show the attempted password.

For the time being, I removed those two entries from the passwords file, which avoids the false positive I was getting.

If someone knows a way to tell Hydra to support multiple "failure" strings, please let me know. Thanks.

MyName
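As an added example (not code from the post or from Hydra), the Python below simulates the single failure-string check the question relies on and shows why a second, non-standard failure message such as "The password is empty" is reported as a valid login; the responses and the message for "0" are constructed, since the post does not quote them.

```python
# Added example, not code from the original post: simulates the failure-string
# check the question relies on (F=... means "no match => valid login") and
# shows how a second, non-standard failure message produces a false positive.

# Constructed login responses, modelled on the question: a normal wrong password
# yields "is incorrect", an empty password yields a different message, and "0"
# is given a third (constructed) message because the post does not quote it.
RESPONSES = {
    "": "<p>The password is empty.</p>",
    "0": "<p>Invalid password format.</p>",
    "letmein": "<p>The password you entered for the username admin is incorrect.</p>",
    "secret": "<p>Welcome, admin.</p>",
}


def classify(body, failure_markers):
    """Mirror an F= condition: the attempt counts as 'failed' only if at least
    one failure marker appears in the response; anything else counts as 'valid'."""
    return "failed" if any(m in body for m in failure_markers) else "valid"


def run(wordlist, failure_markers):
    """Classify every candidate in the wordlist against the constructed responses."""
    return {pw: classify(RESPONSES[pw], failure_markers) for pw in wordlist}


def false_positives(wordlist, failure_markers, real_password):
    """Candidates reported 'valid' that are not the real password."""
    return [pw for pw, result in run(wordlist, failure_markers).items()
            if result == "valid" and pw != real_password]


def clean_wordlist(lines):
    """Drop blank entries: the workaround the answer used for the empty-line case."""
    return [line.rstrip("\r\n") for line in lines if line.strip()]


if __name__ == "__main__":
    words = ["", "0", "letmein", "secret"]
    # A single marker misses the two non-standard failure messages.
    print(false_positives(words, ["is incorrect"], "secret"))  # ['', '0']
    # Covering every failure message (OR of markers) removes the false positives.
    all_markers = ["is incorrect", "is empty", "Invalid password format"]
    print(false_positives(words, all_markers, "secret"))  # []
```

The same logic applies whenever the application has more than one failure message: every one of them must be matched, or a positive success condition used instead, before a "no failure text" result can be trusted.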